From 78047fa17be13a4968d41ad187641d6229ebd5a4 Mon Sep 17 00:00:00 2001
From: Rick Chen
Date: Tue, 16 Mar 2021 17:43:57 +0800
Subject: [PATCH] sensors: Add sensor related rule to chre.

[ 8.417813] type=1400 audit(1615518074.988:4): avc: denied { write } for comm="sensors@2.0-ser" name="chre" dev="tmpfs" ino=908 scontext=u:r:hal_sensors_default:s0 tcontext=u:object_r:chre_socket:s0 tclass=sock_file permissive=1
[ 8.418075] type=1400 audit(1615518074.988:5): avc: denied { connectto } for comm="sensors@2.0-ser" path="/dev/socket/chre" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1
03-12 11:01:14.988 694 694 I sensors@2.0-ser: type=1400 audit(0.0:5): avc: denied { connectto } for path="/dev/socket/chre" scontext=u:r:hal_sensors_default:s0 tcontext=u:r:chre:s0 tclass=unix_stream_socket permissive=1

Also merge two sensor_hal related files into single file.

Bug: 182523946
Test: make selinux_policy -j128 and push to device. No hal_sensors_default related avc deined log during boot.
Signed-off-by: Rick Chen
Change-Id: I49ce71ba4703528fb2e26dd8956c4ed741337ffc
---
 tracking_denials/hal_sensors_default.te | 59 -------------------
 usf/sensor_hal.te | 31 ++++++++++
 .../vendor/google/hal_sensors_default.te | 23 --------
 3 files changed, 31 insertions(+), 82 deletions(-)
 delete mode 100644 tracking_denials/hal_sensors_default.te
 delete mode 100644 whitechapel/vendor/google/hal_sensors_default.te

diff --git a/tracking_denials/hal_sensors_default.te b/tracking_denials/hal_sensors_default.te
deleted file mode 100644
index b3331836..00000000
--- a/tracking_denials/hal_sensors_default.te
+++ /dev/null
@@ -1,59 +0,0 @@
-# b/182086633
-dontaudit hal_sensors_default servicemanager:binder { call };
-dontaudit hal_sensors_default device:dir { read };
-dontaudit hal_sensors_default device:dir { watch };
-dontaudit hal_sensors_default aoc_device:chr_file { read write };
-dontaudit hal_sensors_default aoc_device:chr_file { open };
-dontaudit hal_sensors_default mnt_vendor_file:dir { search };
-dontaudit hal_sensors_default persist_file:dir { search };
-dontaudit hal_sensors_default persist_file:dir { getattr };
-dontaudit hal_sensors_default persist_file:dir { read };
-dontaudit hal_sensors_default persist_file:dir { open };
-dontaudit hal_sensors_default persist_file:file { getattr };
-dontaudit hal_sensors_default persist_file:file { read };
-dontaudit hal_sensors_default persist_file:file { open };
-dontaudit hal_sensors_default vendor_data_file:dir { read };
-dontaudit hal_sensors_default vendor_data_file:dir { open };
-dontaudit hal_sensors_default vendor_data_file:file { getattr };
-dontaudit hal_sensors_default vendor_data_file:file { read };
-dontaudit hal_sensors_default vendor_data_file:file { open };
-dontaudit hal_sensors_default fwk_stats_service:service_manager { find };
-dontaudit hal_sensors_default servicemanager:binder { call };
-dontaudit hal_sensors_default servicemanager:binder { transfer };
-dontaudit hal_sensors_default servicemanager:binder { transfer };
-dontaudit hal_sensors_default servicemanager:binder { call };
-dontaudit hal_sensors_default aoc_device:chr_file { getattr };
-dontaudit hal_sensors_default aoc_device:chr_file { read write };
-dontaudit hal_sensors_default aoc_device:chr_file { open };
-dontaudit hal_sensors_default vendor_data_file:file { write };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { read };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { open };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr };
-dontaudit hal_sensors_default vendor_data_file:file { write };
-dontaudit hal_sensors_default vendor_data_file:file { read };
-dontaudit hal_sensors_default vendor_data_file:file { getattr };
-dontaudit hal_sensors_default persist_file:dir { search };
-dontaudit hal_sensors_default vendor_data_file:dir { open };
-dontaudit hal_sensors_default aoc_device:chr_file { read write };
-dontaudit hal_sensors_default vendor_data_file:dir { read };
-dontaudit hal_sensors_default persist_file:file { open };
-dontaudit hal_sensors_default vendor_data_file:file { open };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { getattr };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { open };
-dontaudit hal_sensors_default sysfs_aoc_boottime:file { read };
-dontaudit hal_sensors_default persist_file:file { read };
-dontaudit hal_sensors_default persist_file:file { getattr };
-dontaudit hal_sensors_default device:dir { read };
-dontaudit hal_sensors_default persist_file:dir { open };
-dontaudit hal_sensors_default persist_file:dir { read };
-dontaudit hal_sensors_default persist_file:dir { getattr };
-dontaudit hal_sensors_default vendor_data_file:file { open };
-dontaudit hal_sensors_default mnt_vendor_file:dir { search };
-dontaudit hal_sensors_default device:dir { read };
-dontaudit hal_sensors_default device:dir { watch };
-dontaudit hal_sensors_default servicemanager:binder { transfer };
-dontaudit hal_sensors_default aoc_device:chr_file { open };
-# b/182523946
-dontaudit hal_sensors_default chre_socket:sock_file { write };
-dontaudit hal_sensors_default chre:unix_stream_socket { connectto };
-dontaudit hal_sensors_default chre:unix_stream_socket { connectto };
diff --git a/usf/sensor_hal.te b/usf/sensor_hal.te
index afb74634..84d1caff 100644
--- a/usf/sensor_hal.te
+++ b/usf/sensor_hal.te
@@ -20,3 +20,34 @@
 allow hal_sensors_default sysfs_aoc_boottime:file rw_file_perms;
 # Allow create thread to watch AOC's device.
 allow hal_sensors_default device:dir r_dir_perms;
+
+# Allow access to the files of CDT information.
+r_dir_file(hal_sensors_default, sysfs_chosen)
+
+# Allow display_info_service access to the backlight driver.
+allow hal_sensors_default sysfs_leds:dir search;
+allow hal_sensors_default sysfs_leds:file rw_file_perms;
+
+# Allow access to the power supply files for MagCC.
+r_dir_file(hal_sensors_default, sysfs_batteryinfo)
+allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
+
+# Allow access to sensor service for sensor_listener.
+binder_call(hal_sensors_default, system_server);
+
+# Allow access to the stats service.
+allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find;
+
+# Allow access to the sysfs_aoc.
+allow hal_sensors_default sysfs_aoc:dir search;
+
+#
+# Suez type enforcements.
+#
+
+# Allow SensorSuez to connect AIDL stats.
+binder_use(hal_sensors_default);
+allow hal_sensors_default fwk_stats_service:service_manager find;
+
+# Allow access to CHRE socket to connect to nanoapps.
+unix_socket_connect(hal_sensors_default, chre, chre)
diff --git a/whitechapel/vendor/google/hal_sensors_default.te b/whitechapel/vendor/google/hal_sensors_default.te
deleted file mode 100644
index 396fd3c5..00000000
--- a/whitechapel/vendor/google/hal_sensors_default.te
+++ /dev/null
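Review bot: The comment above `unix_socket_connect(hal_sensors_default, chre, chre)` should record what the sensors HAL sends over /dev/socket/chre and why it needs to reach the CHRE daemon directly, since this is a new cross-daemon channel whose only justification in the diff is the denial log in the commit message; something like `# sensors HAL connects to the chre daemon over /dev/socket/chre to reach nanoapps; see b/182523946` would do. The macro itself appears well scoped: in AOSP it expands to `write` on chre_socket:sock_file and `connectto` on chre:unix_stream_socket, which are exactly the two denials quoted in the commit message, so nothing broader than the observed need is granted. Separately, the deleted tracking_denials file also covered the b/182086633 denials on aoc_device:chr_file, persist_file and vendor_data_file, and no allow or dontaudit for those appears in this hunk; if they are not already granted in lines 1-19 of sensor_hal.te they will resurface as audit noise or breakage once hal_sensors_default is enforcing. The moved `allow hal_sensors_default sysfs_leds:file rw_file_perms;` is a sysfs write grant; if display_info_service only reads backlight state, `r_file_perms` is the least-privilege form. sensor_hal.te continues above this hunk.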
@@ -1,23 +0,0 @@
-# Allow access to the files of CDT information.
-r_dir_file(hal_sensors_default, sysfs_chosen)
-
-# Allow access to the leds driver.
-allow hal_sensors_default sysfs_leds:dir search;
-allow hal_sensors_default sysfs_leds:file rw_file_perms;
-
-# Allow access to the power supply files for MagCC.
-r_dir_file(hal_sensors_default, sysfs_batteryinfo)
-allow hal_sensors_default sysfs_wlc:dir r_dir_perms;
-
-# Allow access to sensor service for sensor_listener.
-binder_call(hal_sensors_default, system_server);
-
-# Allow access to the stats service.
-allow hal_sensors_default fwk_stats_hwservice:hwservice_manager find;
-
-# Allow access to the sysfs_aoc.
-allow hal_sensors_default sysfs_aoc:dir search;
-
-# Allow SensorSuez to connect AIDL stats.
-binder_use(hal_sensors_default);
-allow hal_sensors_default fwk_stats_service:service_manager find;